terraform-aws-wafv2:使用AWS WAFv2和AWS托管规则集创建WAF

  • N8_679986
    了解作者
  • 44KB
    文件大小
  • zip
    文件格式
  • 0
    收藏次数
  • VIP专享
    资源类型
  • 0
    下载次数
  • 2022-06-02 17:55
    上传日期
terraform-aws-wafv2 创建AWS WAFv2 ACL并支持以下内容 AWS托管规则集 与应用程序负载平衡器(ALB)关联 阻止IP集 全球IP速率限制 不同URL的自定义IP速率限制 自2020年12月2日起,AWS GovCloud不支持AWSManagedRulesAmazonIpReputationList托管规则集,该规则集在此模块中默认启用。 在AWS支持该规则集之前,您将需要定义自己的managed_rules 。 地形版本 Terraform 0.13及更高版本。 将模块版本固定为〜> 2.0。 将拉取请求提交到master分支。 地形0.12。 将模块版本
terraform-aws-wafv2-master.zip
  • terraform-aws-wafv2-master
  • versions.tf
    150B
  • outputs.tf
    112B
  • .github
  • dependabot.yml
    331B
  • workflows
  • tidy.yml
    1.3KB
  • test
  • terraform_aws_wafv2_test.go
    5.9KB
  • .markdownlintrc
    158B
  • LICENSE
    11.1KB
  • .kodiak.toml
    132B
  • examples
  • alb
  • outputs.tf
    56B
  • main.tf
    3.9KB
  • variables.tf
    292B
  • .gitignore
    91B
  • .golangci.yml
    76B
  • .circleci
  • config.yml
    1.6KB
  • Makefile
    418B
  • go.sum
    62.2KB
  • README.md
    5.9KB
  • scripts
  • pre-commit-go-mod
    112B
  • check-go-version
    460B
  • make-test
    593B
  • main.tf
    6.5KB
  • .pre-commit-config.yaml
    1003B
  • go.mod
    109B
  • variables.tf
    3.6KB
内容介绍
# terraform-aws-wafv2 Creates AWS WAFv2 ACL and supports the following * AWS Managed Rule Sets * Associating with Application Load Balancers (ALB) * Blocking IP Sets * Global IP Rate limiting * Custom IP rate limiting for different URLs **As of 12/2/2020, AWS GovCloud does not support the `AWSManagedRulesAmazonIpReputationList` managed rule set, which is enabled by default in this module. Until AWS supports that rule set, you will need to define your own `managed_rules`.** ## Terraform Versions Terraform 0.13 and newer. Pin module version to ~> 2.0. Submit pull-requests to master branch. Terraform 0.12. Pin module version to ~> 1.0. Submit pull-requests to terraform012 branch. ## Usage with CloudFront **Note: The Terraform AWS provider needs to be associated with the us-east-1 region to use with CloudFront.** ```hcl module "cloudfront_wafv2" { source = "trussworks/wafv2/aws" version = "0.0.1" name = "cloudfront-web-acl" scope = "CLOUDFRONT" } ``` ## Usage with Application Load Balancer (ALB) ```hcl module "alb_wafv2" { source = "trussworks/wafv2/aws" version = "0.0.1" name = "alb-web-acl" scope = "REGIONAL" alb_arn = aws_lb.alb.arn associate_alb = true } ``` ## Usage blocking IP Sets ```hcl resource "aws_wafv2_ip_set" "ipset" { name = "blocked_ips" scope = "REGIONAL" ip_address_version = "IPV4" addresses = [ "1.2.3.4/32", "5.6.7.8/32" ] } module "wafv2" { source = "../../" name = "wafv2" scope = "REGIONAL" ip_sets_rule = [ { name = "blocked_ips" action = "block" priority = 1 ip_set_arn = aws_wafv2_ip_set.ipset.arn } ] } ``` <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --> ## Requirements | Name | Version | |------|---------| | terraform | >= 0.13.0 | | aws | >= 3.0 | ## Providers | Name | Version | |------|---------| | aws | >= 3.0 | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | alb\_arn | ARN of the ALB to be associated with the WAFv2 ACL. | `string` | `""` | no | | associate\_alb | Whether to associate an ALB with the WAFv2 ACL. | `bool` | `false` | no | | filtered\_header\_rule | HTTP header to filter . Currently supports a single header type and multiple header values. | <pre>object({<br> header_types = list(string)<br> priority = number<br> header_value = string<br> action = string<br> })</pre> | <pre>{<br> "action": "block",<br> "header_types": [],<br> "header_value": "",<br> "priority": 1<br>}</pre> | no | | group\_rules | List of WAFv2 Rule Groups. | <pre>list(object({<br> name = string<br> arn = string<br> priority = number<br> override_action = string<br> excluded_rules = list(string)<br> }))</pre> | `[]` | no | | ip\_rate\_based\_rule | A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span | <pre>object({<br> name = string<br> priority = number<br> limit = number<br> action = string<br> })</pre> | `null` | no | | ip\_rate\_url\_based\_rules | A rate and url based rules tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span | <pre>list(object({<br> name = string<br> priority = number<br> limit = number<br> action = string<br> search_string = string<br> positional_constraint = string<br> }))</pre> | `[]` | no | | ip\_sets\_rule | A rule to detect web requests coming from particular IP addresses or address ranges. | <pre>list(object({<br> name = string<br> priority = number<br> ip_set_arn = string<br> action = string<br> }))</pre> | `[]` | no | | managed\_rules | List of Managed WAF rules. | <pre>list(object({<br> name = string<br> priority = number<br> override_action = string<br> excluded_rules = list(string)<br> }))</pre> | <pre>[<br> {<br> "excluded_rules": [],<br> "name": "AWSManagedRulesCommonRuleSet",<br> "override_action": "none",<br> "priority": 10<br> },<br> {<br> "excluded_rules": [],<br> "name": "AWSManagedRulesAmazonIpReputationList",<br> "override_action": "none",<br> "priority": 20<br> },<br> {<br> "excluded_rules": [],<br> "name": "AWSManagedRulesKnownBadInputsRuleSet",<br> "override_action": "none",<br> "priority": 30<br> },<br> {<br> "excluded_rules": [],<br> "name": "AWSManagedRulesSQLiRuleSet",<br> "override_action": "none",<br> "priority": 40<br> },<br> {<br> "excluded_rules": [],<br> "name": "AWSManagedRulesLinuxRuleSet",<br> "override_action": "none",<br> "priority": 50<br> },<br> {<br> "excluded_rules": [],<br> "name": "AWSManagedRulesUnixRuleSet",<br> "override_action": "none",<br> "priority": 60<br> }<br>]</pre> | no | | name | A friendly name of the WebACL. | `string` | n/a | yes | | scope | The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL. | `string` | n/a | yes | | tags | A mapping of tags to assign to the WAFv2 ACL. | `map(string)` | `{}` | no | ## Outputs | Name | Description | |------|-------------| | web\_acl\_id | The ARN of the WAF WebACL. | <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --> ## Developer Setup Install dependencies (macOS) ```shell brew install pre-commit go terraform terraform-docs pre-commit install --install-hooks ``` ### Testing [Terratest](https://github.com/gruntwork-io/terratest) is being used for automated testing with this module. Tests in the `test` folder can be run locally by running the following command: ```text make test ``` Or with aws-vault: ```text AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test
评论
    相关推荐